Security¶
This document aims to explore in depth the security considerations around Mir based compositors.
Threat Model¶
Mir is a C++ library for building compositors, not a product itself. As such, when discussing the threat model for Mir, it is useful to discuss it in terms of an actual product that is built on Mir. With this in mind, we will define the threat model of Ubuntu Frame in this document.
Ubuntu Frame Threat Model Diagram¶
Ubuntu Frame is published as a snap. As such, the threat model for frame assumes that the snap is secure, and proceeds to outline the frame snap’s interactions with the outside world.
%%{ init: { 'flowchart': { 'curve': 'monotoneY' } } }%% flowchart shell((Mir-based Shell)) vnc_server(VNC Server) vnc_client(VNC Client) osk(On-screen Keyboard) snapd(Snapd) operator_app(Operator App) user(User) display(Display) app(App) subgraph snap [Snap] vnc_server--input-->shell shell--screen content-->vnc_server osk--content/input-->shell shell--input-->osk end shell--contents/configuration--->display snapd--configuration-->shell display--visuals-->user operator_app--help message-->shell user--input events-->shell display--properties-->shell vnc_server<--vnc-->vnc_client app--window contents-->shell shell--input/window management-->app classDef boundary fill:none,stroke-dasharray: 5 5 snap:::boundary
Cryptography¶
There is no cryptography used in Mir, no direct dependency on en/decryption, hashing or digital signatures.